One of the hottest certifications today is the Certified Ethical Hacker (CEH) by EC-Council. Although this cert has been around for several years now, it seems as though 2006 is the year that the IT training industry has caught on to it as well. With numerous books on the general topics of ethical hacking and penetration testing hitting the market in the last 12 months, it was only a matter of time before we started seeing titles for specific certifications in this area.

CBT Nuggets, maker of some of my favorite IT training videos, has added a Certified Ethical Hacker Series to their library of titles. James I. Conrad takes his shot at showing you the ropes in 11 hours of videos broken into 21 nugget-sized chunks. Although this is clearly not enough time to show the viewer everything there is to know about defending your network from hackers, their tools and techniques, it should be plenty of time to get your studies headed in the right direction.

Although this is a video series, and watching never hurt anyone, you are invariably going to want to try out some of the cool stuff that James shows you. Always keep in the front of your mind the fact that the tools and techniques demonstrated in this video series can cause harm. Make sure you have written permission before practicing with any of these tools in a live environment. In addition, your live systems should be in a lab environment with no connections to another network.

As Dan Charbonneau, CBT Nuggets CEO, says, "I actually had a wave of fear hit me as I was half-way through reviewing this series. ‘We can’t sell this.’ That was my gut reaction. It’s too dangerous; it teaches too much; it’s too powerful. My second thought was, ‘We need to sell this to as many people as possible’, thinking it safest if the people being attacked know exactly how to attack, and therefore how to protect."

So, before we get into it, we have to get the legal stuff out of the way:

The information contained in the Certified Ethical Hacker Series is to be used solely for lawful purposes. You will not use the information contained in this training for illegal or malicious attacks, and you will not use such tools in an attempt to compromise any computer system. Further, you agree to indemnify both CBT Nuggets, Inc. and the certification authority EC-Council with respect to the use or misuse of this information, regardless of intent. While we’re at it, add EH-Net and The Digital Construction Company to that list.

Before jumping into the technical aspects of hacking and eventually some live hacking demos, James does the right thing by laying a foundation in the first 4 nuggets. Starting with an explanation of terms as well as a little history of hacking, you get an understanding of the right words to use as well as the consequences of misusing technology. Thus, the most important word to know is “ethical.” One of the tenets of being ethical is proper communication. It is also one of many steps James covers during the Hacking Procedures nugget. Most realize that written permission is essential, but James also does a good job in explaining that the ethical hacker also needs a statement of scope. In other words, how far you are allowed to hack into the systems you’ve been asked to assess. This little piece of advice will save you from legal headaches down the road.

As he continues down the foundational path, James gives you a good look at setting up a virtual lab, a much safer place in which to practice the knowledge he is about to share with you. Of course, as he sets up his virtual lab, you will see not only Windows, but virtual Linux boxes as well. Even though most systems in the world run on Windows, Linux and Unix (for brevity, I will mention Linux only from here on out) are prevalent in the penetration testing world for two main reasons. First of all, your ethical hacking duties will include servers where Linux is still heavily used. Also, many of the tools you will use to perform your tasks are only available for Linux, or, since they were born in a Linux environment, have more capabilities than their Windows brethren. Don’t be afraid. James gives you a quick tour of what you need to know. If you want to delve deeper into Linux, this is not the series for you (see other CBT Nuggets products). But you will get a feel for the basics. This will be the bare minimum for practicing with the tools and should be just enough to get by the exam. Practice on your own with any of the free Linux distributions is highly recommended.

Most think of hacking as just breaking into computer systems, but there are numerous ways to hack for information. For the next 8 nuggets, James takes you on a tour of the smaller hack with Passive Intelligence Gathering, Social Engineering, Network Reconnaissance, Service ID and Enumeration and Vulnerability Assessment. In addition to seeing the latest craze of Google hacking, he also shows you demonstrations of numerous open source and retail products. These smaller hacks can produce a surprising amount of information on an organization, their network and the status of their security, which on their own can pose a great threat. But put it all together, and a hack can be truly devastating.

I know. I know… so, where’s the real hacking? Not quite yet. James still has some additional protocol problems to explain to give the viewer an even more detailed look into how and why some systems can be hacked more than others. This includes the use of SNMP and DNS. Originally, these and many other protocols were meant to be used on a trusted network, so security was not even considered. But now with the explosion of the internet, these innocuous protocols are not so innocent anymore. James shows you how numerous tools can glean loads of valuable information from a system including accounts and running processes. You’re one step closer to putting the pieces together to form the perfect hack.

But wait… that’s a hell of a lot of work to just hack one system, isn’t it? Well, sure it is. No one said this was easy or quick. It takes a special kind of person to do this kind of work. If that person is you, the entire process, regardless of how long and tedious it is, is really cool. If you’re not that type of person, the next nugget is for you. The whole point of hacking is to get administrative level access to systems, right? That way, you can have your way with the machine and its resources. So what is the one thing that would make the initial break-in and all of the work that comes along with it unnecessary? Having a password to an administrator or root account. So before showing off his hacking skills, James shows you, using readily available software, how to crack passwords with relative ease and speed.

But why stop there? We haven’t come all this way just to make it that easy. We want the goods. Let’s see real hacks on real systems! OK. You asked for it. During the next four nuggets, James methodically takes you through hacking a Windows box, a Linux box, web applications and wireless networks. It’s not fair that he makes it look so easy. And when he’s done, he goes you one better by showing you in the final nugget how to cover your tracks. In addition to a live look at the Snort IDS, he even gives you a great tip on how to completely remove log entries even when Windows wants to keep adding one last entry that the logs have been removed. Cool trick.

Along with showing you a plethora of tools for just about every situation that a budding ethical hacker may encounter, James is also sure to put extra emphasis on tools such as Nmap and ‘Cain and Abel’ among others, stressing that the CEH candidate must know these tools inside and out in order to pass the exam. These little tidbits are very helpful.

This video series shows off the best and the worst of video training as opposed to live, instructor-led classes. Owning this series allows you to go back, pause and replay each nugget to make sure you caught a web address, hint or command line entry. The worst part is that James gets you excited about the field of penetration testing. How is this bad? If you’re like me, you’ll have a million questions pouring out of your head for each and every tool, technique and tip. Without the give and take of a live instructor, you will never truly be able to pick his brain.

James does do a great job of giving you the resources you need to continue your studies. This will come in handy during the setup of your own lab as you begin to experiment with the tools you’ve just seen. This leads me to my final thought. How well will this video series prepare you for the CEH exam?

There are several schools of thought when preparing for an exam, whether it be an IT cert or even the CPA exams. One is to learn the material in the order in which it is applied in real life. The other is to prepare by going over the material as it is laid out in the curriculum of the governing body. James chose the former for the CEH series. He does not go bullet point by bullet point saying this tool applies to this module and that concept applies to that module. He takes you through the process hoping that you will not only learn more than what is required for the exam alone, but that you will also be inspired to continue on your own.

With this in mind, only you can make the final decision as to whether you want to add the CBT Nuggets CEH Video Series to your set of study materials. Either way, the CEH candidate and those just looking for additional knowledge should both find the material enlightening and worth their time.

For more insight into which study materials to add to your CEH library, stay tuned as EH-Net will compare this with many other CEH materials in a round-up of books, videos and study guides that will be compiled in the coming months.